Why modern SIEM security solutions can save you from data and cost headaches.
If you want to reliably detect attacks across your organization, you need to see all of the activity that's happening on your network. More importantly, that activity needs to be filtered and prioritized by risk, across both assets and users, so you can report on how the team is measurably chipping away at Risk Mountain™.
Today, the only solution capable of flexibly ingesting, correlating, and visualizing data from a sprawling tool stack is a SIEM solution. SIEMs don't get a lot of love – some might say their deployment felt like a data lake glacier, where budget dollars flowed in, never to leave.
Advances in SIEM tools and customer pain are converging, as organizations look to cut their losses on stagnant deployments and try a new approach. In this post, let's cover four misconceptions about SIEMs that no longer hold for today's nimble and adaptive solutions.
MISCONCEPTION #1: SIEMs are complex, unwieldy tools that take months to deploy, and a large dedicated staff to keep running.
REALITY: Cloud architecture makes SIEM deployment quicker and maintenance easier than ever before.
More SIEM security tools today offer cloud deployment as an option, so a large initial hardware investment is no longer required. In addition, SIEM providers now ship pre-built analytics in their solutions, so security teams don't need to spend recurring hours setting up and refining detection rules as analysts comb through more and more data.
The simpler setup of SIEMs running in the cloud, combined with pre-built analytics, means that an organization can get started with SIEM security technology in just a few days instead of months, and that they won't have to continually add staff to keep the SIEM up and running effectively.
When choosing a SIEM, define the use cases you'd like the deployment to tackle and consider a Proof of Concept (POC) before making a purchase; you'll have better expectations for success and see how quickly it can identify threats and risk.
MISCONCEPTION #2: As SIEMs ingest more data, data processing costs skyrocket to exorbitant levels.
REALITY: Not all SIEMs come with burdensome cost as deployment size increases.
Traditional SIEM pricing models charge by the quantity of data processed or indexed, but this model penalizes exactly the behavior that makes a SIEM effective. SIEMs become better at detecting attacks as more data sources are added over time, especially sources that can reveal attacker behaviors.
As a result, any pricing model that discourages you from adding data sources could hamstring your SIEM's efficacy. Work with your SIEM vendor to determine what data sets you need today and may need in the future, so you can scale effectively without getting burned.
MISCONCEPTION #3: SIEMs aren't great at detection. They should primarily be used once you know where to look.
REALITY: SIEMs with modern analytics can be extremely effective at detecting real-world attack behaviors in today's complex environments.
Related to misconception number two above, if you can't process as many data sources as possible—such as endpoints, networks, and cloud services—then you are potentially limiting your SIEM's ability to detect anomalies and attacks in your environment.
In fact, many traces of attackers can only be found in the comprehensive data sets fed into a SIEM. Two examples are detecting the use of stolen passwords and lateral movement, both extremely common behaviors once an attacker has access to the network. At Rapid7, we detect these by first linking together IP Address > Asset > User data and then using graph mining and entity relationship modeling to track what is “normal” in each environment. Outside of SIEMs and User Behavior Analytics (UBA) solutions, this is incredibly hard to detect.
In a nutshell: SIEM security tools need that data to be effective, so if you restrict the data coming in, it won't be as effective. A SIEM with modern analytics will be capable of detecting real-world attack behaviors earlier in the attack chain.
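The IP Address > Asset > User linkage and the "what is normal" baseline described above, reduced to a small offline script. This is an added illustration, not Rapid7 or InsightIDR code: the DHCP lease and authentication records are constructed sample data, their layouts are assumed for the example, and the detection thresholds (a ten-minute window, three distinct hosts) are illustrative choices rather than product settings.

```python
"""
Added example, not Rapid7 or InsightIDR code: link IP > Asset > User, learn
which assets each user normally touches, then flag logons that break that
baseline (credential used from an unfamiliar asset, first logon to a new host)
and short-window fan-out across many hosts (lateral movement).
All records below are constructed sample data with assumed layouts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DHCP-style lease records: (start, end, ip, asset).
DHCP_LEASES = [
    ("2024-03-01T00:00:00", "2024-03-03T00:00:00", "10.0.1.20", "WS-ALICE"),
    ("2024-03-01T00:00:00", "2024-03-03T00:00:00", "10.0.1.21", "WS-BOB"),
    ("2024-03-01T00:00:00", "2024-03-03T00:00:00", "10.0.2.5", "FILESRV01"),
    ("2024-03-01T00:00:00", "2024-03-03T00:00:00", "10.0.2.9", "DC01"),
]

# Constructed authentication events: (time, user, source_ip, destination asset).
AUTH_EVENTS = [
    ("2024-03-01T08:05:00", "alice", "10.0.1.20", "FILESRV01"),
    ("2024-03-01T08:10:00", "bob", "10.0.1.21", "FILESRV01"),
    ("2024-03-01T09:00:00", "alice", "10.0.1.20", "DC01"),
    ("2024-03-02T08:07:00", "alice", "10.0.1.20", "FILESRV01"),
    ("2024-03-02T08:12:00", "bob", "10.0.1.21", "FILESRV01"),
    # Evaluation window: alice's credential is used from bob's workstation and
    # fans out to three hosts within minutes (stolen password + lateral movement).
    ("2024-03-02T23:40:00", "alice", "10.0.1.21", "FILESRV01"),
    ("2024-03-02T23:41:00", "alice", "10.0.1.21", "DC01"),
    ("2024-03-02T23:42:00", "alice", "10.0.1.21", "WS-ALICE"),
]

# Events before this instant train the baseline; events after it are evaluated.
BASELINE_CUTOFF = datetime.fromisoformat("2024-03-02T20:00:00")


def ip_to_asset(ip, when, leases=DHCP_LEASES):
    """Resolve a source IP to the asset holding its DHCP lease at that time."""
    for start, end, lease_ip, asset in leases:
        if lease_ip == ip and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return asset
    return None  # unknown lease: the caller falls back to the raw IP


def enrich(events=AUTH_EVENTS):
    """Link IP > Asset > User: attach the source asset to every auth event."""
    enriched = []
    for ts, user, src_ip, dest in events:
        when = datetime.fromisoformat(ts)
        src_asset = ip_to_asset(src_ip, when) or src_ip
        enriched.append({"time": when, "user": user, "src": src_asset, "dst": dest})
    return sorted(enriched, key=lambda e: e["time"])


def build_baseline(enriched, cutoff=BASELINE_CUTOFF):
    """Record which source and destination assets each user normally touches."""
    normal = defaultdict(set)
    for e in enriched:
        if e["time"] < cutoff:
            normal[e["user"]].add(("src", e["src"]))
            normal[e["user"]].add(("dst", e["dst"]))
    return normal


def detect(enriched, normal, cutoff=BASELINE_CUTOFF,
           fanout_window=timedelta(minutes=10), fanout_threshold=3):
    """Flag logons that break a user's baseline plus short-window fan-out."""
    alerts, fired = [], set()
    recent = defaultdict(list)  # user -> [(time, destination)] for fan-out counting

    def raise_once(kind, user, subject, when):
        key = (kind, user, subject)  # one alert per distinct finding, not per event
        if key not in fired:
            fired.add(key)
            alerts.append((kind, user, subject, when.isoformat()))

    for e in enriched:
        if e["time"] < cutoff:
            continue
        known = normal.get(e["user"], set())
        if ("src", e["src"]) not in known:  # credential used from an unfamiliar asset
            raise_once("new_source_asset", e["user"], e["src"], e["time"])
        if ("dst", e["dst"]) not in known:  # first logon to this destination
            raise_once("new_destination", e["user"], e["dst"], e["time"])
        recent[e["user"]].append((e["time"], e["dst"]))
        in_window = {d for t, d in recent[e["user"]] if e["time"] - t <= fanout_window}
        if len(in_window) >= fanout_threshold:  # many hosts in minutes: lateral movement
            raise_once("lateral_movement_fanout", e["user"], e["src"], e["time"])
    return alerts


def run_demo():
    enriched = enrich()
    return detect(enriched, build_baseline(enriched))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the script yields three alerts, all for alice: her credential used from WS-BOB, a first-ever logon to WS-ALICE as a destination, and the fan-out across three hosts inside ten minutes. None of this is visible from any single log source: the DHCP leases supply the IP-to-asset link, the authentication log supplies the asset-to-user link, and the baseline only exists because earlier days of data were retained, which is the point of misconception #2 above.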
MISCONCEPTION #4: SIEMs can ingest and centralize log files and network data, but have limited coverage for cloud services and remote workers.
REALITY: Today's SIEMs can and should account for data coming in from cloud and endpoints.
Network-only data sources may be the norm for more traditional SIEMs on the market, but newer SIEMs also pull in data from endpoints and cloud services to make sure you're detecting attacker behavior no matter where it may occur. Just as the perimeter has shifted from the corporate network walls to the individual user, SIEMs have had to adapt to collect more data from everywhere these users work, namely endpoints and cloud services. Make sure any SIEM security solution you're considering can integrate these additional data sources, not just traditional log files and network data.
At Rapid7, we feel strongly that customers shouldn't have to deal with these past pitfalls, and this mindset is expressed throughout InsightIDR, our solution for incident detection and response. On Gartner's Peer Insights page, we've been recognized by customers for resetting expectations around time to value and ease of use:
“We are able to monitor many sources with a very small security team and provide our clients with the peace of mind usually only achieved with large security departments.”
“[InsightIDR]… on its own, mitigated against 75% of identified threats within our organisation, but with the simplicity of use even my granny could get to grips with.”